Cybersecurity
As the level of digitalisation progresses, electricity networks are increasingly being controlled and monitored using smart information and communications technology. This increases the risk of the availability, integrity and confidentiality of data being compromised. In extreme cases, cyberattacks can result in extensive power outages and serious consequential damage. This means cybersecurity is now a crucial factor in ensuring secure electricity supply.
The network operators are responsible for providing a safe, high-performance and efficient network (Art. 8 ESA) and must ensure appropriate protection against cyberthreats (Art. 8a ESA and Art. 5a ESO; SR 734.71). Art. 8a ESA and Art. 5a ESO also apply to certain electricity producers, storage facility operators and service providers. The secure operation of the Swiss electricity grid must not be jeopardised in the event of a cyberattack.
To meet the legal requirements, ElCom expects the companies concerned to use the industry-relevant documents ‘ICT Continuity’, ‘Handbuch Grundschutz für Operational Technology in der Stromversorgung’ (Handbook on basic protection of operational electricity supply technology), ‘Richtlinien für die Datensicherheit von intelligenten Messsystemen’ (Guidelines on the data security of smart meters) and ‘Leitfaden und Werkzeuge zur Steigerung der IKT-Resilienz in der Strombranche’ issued by the Association of Swiss Electricity Companies. Measures must be implemented efficiently adopting a risk-based approach.
ElCom pursues a risk-based approach in its supervisory activities. The aim is to improve resilience against cyberthreats. Companies are monitored to different extents, depending on their relevance and level of risk in relation to the secure and stable operation of the Swiss electricity grid. This enables ElCom to assess whether the measures being taken are adequate for the level of risk and to ensure compliance with the legal requirements. ElCom may issue recommendations and/or impose measures if required.